| From d79026d5203db7d9205b7206307fe0499d00ce70 Mon Sep 17 00:00:00 2001 |
| From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> |
| Date: Fri, 18 May 2018 16:41:57 -0400 |
| Subject: [PATCH 1195/1795] media: vsp1: Protect bodies against overflow |
| |
| The body write function relies on the code never asking it to write more |
| than the entries available in the list. |
| |
| Currently with each list body containing 256 entries, this is fine, but |
| we can reduce this number greatly saving memory. In preparation of this |
| add a level of protection to catch any buffer overflows. |
| |
| Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> |
| Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> |
| Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> |
| (cherry picked from commit 076673419741c1c769f59536c199234937df1762) |
| Signed-off-by: Simon Horman <horms+renesas@verge.net.au> |
| Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> |
| --- |
| drivers/media/platform/vsp1/vsp1_dl.c | 7 +++++++ |
| 1 file changed, 7 insertions(+) |
| |
| diff --git a/drivers/media/platform/vsp1/vsp1_dl.c b/drivers/media/platform/vsp1/vsp1_dl.c |
| index 083da4f05c20..51965c30dec2 100644 |
| --- a/drivers/media/platform/vsp1/vsp1_dl.c |
| +++ b/drivers/media/platform/vsp1/vsp1_dl.c |
| @@ -46,6 +46,7 @@ struct vsp1_dl_entry { |
| * @dma: DMA address of the entries |
| * @size: size of the DMA memory in bytes |
| * @num_entries: number of stored entries |
| + * @max_entries: number of entries available |
| */ |
| struct vsp1_dl_body { |
| struct list_head list; |
| @@ -56,6 +57,7 @@ struct vsp1_dl_body { |
| size_t size; |
| |
| unsigned int num_entries; |
| + unsigned int max_entries; |
| }; |
| |
| /** |
| @@ -138,6 +140,7 @@ static int vsp1_dl_body_init(struct vsp1_device *vsp1, |
| |
| dlb->vsp1 = vsp1; |
| dlb->size = size; |
| + dlb->max_entries = num_entries; |
| |
| dlb->entries = dma_alloc_wc(vsp1->bus_master, dlb->size, &dlb->dma, |
| GFP_KERNEL); |
| @@ -219,6 +222,10 @@ void vsp1_dl_body_free(struct vsp1_dl_body *dlb) |
| */ |
| void vsp1_dl_body_write(struct vsp1_dl_body *dlb, u32 reg, u32 data) |
| { |
| + if (WARN_ONCE(dlb->num_entries >= dlb->max_entries, |
| + "DLB size exceeded (max %u)", dlb->max_entries)) |
| + return; |
| + |
| dlb->entries[dlb->num_entries].addr = reg; |
| dlb->entries[dlb->num_entries].data = data; |
| dlb->num_entries++; |
| -- |
| 2.19.0 |
| |